appl/kx/krb5.c

   1 /*
   2  * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kx.h"
  35
  36 RCSID("$Id$");
  37
  38 #ifdef KRB5
  39
  40 struct krb5_kx_context {
  41     krb5_context context;
  42     krb5_keyblock *keyblock;
  43     krb5_crypto crypto;
  44     krb5_principal client;
  45     krb5_log_facility *log;
  46
  47 };
  48
  49 typedef struct krb5_kx_context krb5_kx_context;
  50
  51 #define K5DATA(kc) ((krb5_kx_context*)kc->data)
  52 #define CONTEXT(kc) (K5DATA(kc)->context)
  53
  54 /*
  55  *
  56  */
  57
  58 static void
  59 ksyslog(krb5_context context, krb5_error_code ret, const char *fmt, ...)
  60         __attribute__((__format__(__printf__, 3, 0)));
  61
  62 static void
  63 ksyslog(krb5_context context, krb5_error_code ret, const char *fmt, ...)
  64 {
  65     const char *msg;
  66     char *str = NULL;
  67     va_list va;
  68     int aret;
  69
  70     msg = krb5_get_error_message(context, ret);
  71
  72     va_start(va, fmt);
  73     aret = vasprintf(&str, fmt, va);
  74     va_end(va);
  75
  76     syslog(LOG_ERR, "%s: %s", aret != -1 ? str : "(nil)", msg);
  77
  78     krb5_free_error_message(context, msg);
  79     if (aret != -1)
  80         free(str);
  81 }
  82
  83 /*
  84  * Destroy the krb5 context in `c'.
  85  */
  86
  87 static void
  88 krb5_destroy (kx_context *kc)
  89 {
  90     if (K5DATA(kc)->keyblock)
  91         krb5_free_keyblock (CONTEXT(kc), K5DATA(kc)->keyblock);
  92     if (K5DATA(kc)->crypto)
  93         krb5_crypto_destroy (CONTEXT(kc), K5DATA(kc)->crypto);
  94     if (K5DATA(kc)->client)
  95         krb5_free_principal (CONTEXT(kc), K5DATA(kc)->client);
  96     if (CONTEXT(kc))
  97         krb5_free_context (CONTEXT(kc));
  98     memset (kc->data, 0, sizeof(krb5_kx_context));
  99     free (kc->data);
 100 }
 101
 102 /*
 103  * Read the authentication information from `s' and return 0 if
 104  * succesful, else -1.
 105  */
 106
 107 static int
 108 krb5_authenticate (kx_context *kc, int s)
 109 {
 110     krb5_auth_context auth_context = NULL;
 111     krb5_error_code ret;
 112     krb5_principal server;
 113     const char *host = kc->host;
 114
 115     ret = krb5_sname_to_principal (CONTEXT(kc),
 116                                    host, "host", KRB5_NT_SRV_HST, &server);
 117     if (ret) {
 118         krb5_warn (CONTEXT(kc), ret, "krb5_sname_to_principal: %s", host);
 119         return 1;
 120     }
 121
 122     ret = krb5_sendauth (CONTEXT(kc),
 123                          &auth_context,
 124                          &s,
 125                          KX_VERSION,
 126                          NULL,
 127                          server,
 128                          AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
 129                          NULL,
 130                          NULL,
 131                          NULL,
 132                          NULL,
 133                          NULL,
 134                          NULL);
 135     if (ret) {
 136         if(ret != KRB5_SENDAUTH_BADRESPONSE)
 137             krb5_warn (CONTEXT(kc), ret, "krb5_sendauth: %s", host);
 138         return 1;
 139     }
 140
 141     ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context,
 142                                 &K5DATA(kc)->keyblock);
 143     if (ret) {
 144         krb5_warn (CONTEXT(kc), ret, "krb5_auth_con_getkey: %s", host);
 145         krb5_auth_con_free (CONTEXT(kc), auth_context);
 146         return 1;
 147     }
 148
 149     ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock,
 150                             0, &K5DATA(kc)->crypto);
 151     if (ret) {
 152         krb5_warn (CONTEXT(kc), ret, "krb5_crypto_init");
 153         krb5_auth_con_free (CONTEXT(kc), auth_context);
 154         return 1;
 155     }
 156     return 0;
 157 }
 158
 159 /*
 160  * Read an encapsulated krb5 packet from `fd' into `buf' (of size
 161  * `len').  Return the number of bytes read or 0 on EOF or -1 on
 162  * error.
 163  */
 164
 165 static ssize_t
 166 krb5_read (kx_context *kc,
 167            int fd, void *buf, size_t len)
 168 {
 169     size_t data_len, outer_len;
 170     krb5_error_code ret;
 171     unsigned char tmp[4];
 172     krb5_data data;
 173     int l;
 174
 175     l = krb5_net_read (CONTEXT(kc), &fd, tmp, 4);
 176     if (l == 0)
 177         return l;
 178     if (l != 4)
 179         return -1;
 180     data_len  = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
 181     outer_len = krb5_get_wrapped_length (CONTEXT(kc),
 182                                          K5DATA(kc)->crypto, data_len);
 183     if (outer_len > len)
 184         return -1;
 185     if (krb5_net_read (CONTEXT(kc), &fd, buf, outer_len) != outer_len)
 186         return -1;
 187
 188     ret = krb5_decrypt (CONTEXT(kc), K5DATA(kc)->crypto,
 189                         KRB5_KU_OTHER_ENCRYPTED,
 190                         buf, outer_len, &data);
 191     if (ret) {
 192         krb5_warn (CONTEXT(kc), ret, "krb5_decrypt");
 193         return -1;
 194     }
 195     if (data_len > data.length) {
 196         krb5_data_free (&data);
 197         return -1;
 198     }
 199     memmove (buf, data.data, data_len);
 200     krb5_data_free (&data);
 201     return data_len;
 202 }
 203
 204 /*
 205  * Write an encapsulated krb5 packet on `fd' with the data in `buf,
 206  * len'.  Return len or -1 on error.
 207  */
 208
 209 static ssize_t
 210 krb5_write(kx_context *kc,
 211            int fd, const void *buf, size_t len)
 212 {
 213     krb5_data data;
 214     krb5_error_code ret;
 215     unsigned char tmp[4];
 216     size_t outlen;
 217
 218     ret = krb5_encrypt (CONTEXT(kc), K5DATA(kc)->crypto,
 219                         KRB5_KU_OTHER_ENCRYPTED,
 220                         buf, len, &data);
 221     if (ret){
 222         krb5_warn (CONTEXT(kc), ret, "krb5_write");
 223         return -1;
 224     }
 225
 226     outlen = data.length;
 227     tmp[0] = (len >> 24) & 0xFF;
 228     tmp[1] = (len >> 16) & 0xFF;
 229     tmp[2] = (len >>  8) & 0xFF;
 230     tmp[3] = (len >>  0) & 0xFF;
 231
 232     if (krb5_net_write (CONTEXT(kc), &fd, tmp, 4) != 4 ||
 233         krb5_net_write (CONTEXT(kc), &fd, data.data, outlen) != outlen) {
 234         krb5_data_free (&data);
 235         return -1;
 236     }
 237     krb5_data_free (&data);
 238     return len;
 239 }
 240
 241 /*
 242  * Copy from the unix socket `from_fd' encrypting to `to_fd'.
 243  * Return 0, -1 or len.
 244  */
 245
 246 static int
 247 copy_out (kx_context *kc, int from_fd, int to_fd)
 248 {
 249     char buf[32768];
 250     ssize_t len;
 251
 252     len = read (from_fd, buf, sizeof(buf));
 253     if (len == 0)
 254         return 0;
 255     if (len < 0) {
 256         krb5_warn (CONTEXT(kc), errno, "read");
 257         return len;
 258     }
 259     return krb5_write (kc, to_fd, buf, len);
 260 }
 261
 262 /*
 263  * Copy from the socket `from_fd' decrypting to `to_fd'.
 264  * Return 0, -1 or len.
 265  */
 266
 267 static int
 268 copy_in (kx_context *kc, int from_fd, int to_fd)
 269 {
 270     char buf[33000];            /* XXX */
 271
 272     ssize_t len;
 273
 274     len = krb5_read (kc, from_fd, buf, sizeof(buf));
 275     if (len == 0)
 276         return 0;
 277     if (len < 0) {
 278         krb5_warn (CONTEXT(kc), errno, "krb5_read");
 279         return len;
 280     }
 281
 282     return krb5_net_write (CONTEXT(kc), &to_fd, buf, len);
 283 }
 284
 285 /*
 286  * Copy data between `fd1' and `fd2', encrypting in one direction and
 287  * decrypting in the other.
 288  */
 289
 290 static int
 291 krb5_copy_encrypted (kx_context *kc, int fd1, int fd2)
 292 {
 293     for (;;) {
 294         fd_set fdset;
 295         int ret;
 296
 297         if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) {
 298             krb5_warnx (CONTEXT(kc), "fd too large");
 299             return 1;
 300         }
 301
 302         FD_ZERO(&fdset);
 303         FD_SET(fd1, &fdset);
 304         FD_SET(fd2, &fdset);
 305
 306         ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
 307         if (ret < 0 && errno != EINTR) {
 308             krb5_warn (CONTEXT(kc), errno, "select");
 309             return 1;
 310         }
 311         if (FD_ISSET(fd1, &fdset)) {
 312             ret = copy_out (kc, fd1, fd2);
 313             if (ret <= 0)
 314                 return ret;
 315         }
 316         if (FD_ISSET(fd2, &fdset)) {
 317             ret = copy_in (kc, fd2, fd1);
 318             if (ret <= 0)
 319                 return ret;
 320         }
 321     }
 322 }
 323
 324 /*
 325  * Return 0 if the user authenticated on `kc' is allowed to login as
 326  * `user'.
 327  */
 328
 329 static int
 330 krb5_userok (kx_context *kc, char *user)
 331 {
 332     krb5_error_code ret;
 333     char *tmp;
 334
 335     ret = krb5_unparse_name (CONTEXT(kc), K5DATA(kc)->client, &tmp);
 336     if (ret)
 337         krb5_err (CONTEXT(kc), 1, ret, "krb5_unparse_name");
 338     kc->user = tmp;
 339
 340     return !krb5_kuserok (CONTEXT(kc), K5DATA(kc)->client, user);
 341 }
 342
 343 /*
 344  * Create an instance of an krb5 context.
 345  */
 346
 347 void
 348 krb5_make_context (kx_context *kc)
 349 {
 350     krb5_kx_context *c;
 351     krb5_error_code ret;
 352
 353     kc->authenticate    = krb5_authenticate;
 354     kc->userok          = krb5_userok;
 355     kc->read            = krb5_read;
 356     kc->write           = krb5_write;
 357     kc->copy_encrypted  = krb5_copy_encrypted;
 358     kc->destroy         = krb5_destroy;
 359     kc->user            = NULL;
 360     kc->data            = malloc(sizeof(krb5_kx_context));
 361
 362     if (kc->data == NULL) {
 363         syslog (LOG_ERR, "failed to malloc %lu bytes",
 364                 (unsigned long)sizeof(krb5_kx_context));
 365         exit(1);
 366     }
 367     memset (kc->data, 0, sizeof(krb5_kx_context));
 368     c = (krb5_kx_context *)kc->data;
 369     ret = krb5_init_context (&c->context);
 370     if (ret) {
 371         syslog (LOG_ERR, "failed initialise krb5 context");
 372         exit(1);
 373     }
 374 }
 375
 376 /*
 377  * Receive authentication information on `sock' (first four bytes
 378  * in `buf').
 379  */
 380
 381 int
 382 recv_v5_auth (kx_context *kc, int sock, u_char *buf)
 383 {
 384     uint32_t len;
 385     krb5_error_code ret;
 386     krb5_principal server;
 387     krb5_auth_context auth_context = NULL;
 388     krb5_ticket *ticket;
 389
 390     if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
 391         return 1;
 392     len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
 393     if (net_read(sock, buf, len) != len) {
 394         syslog (LOG_ERR, "read: %m");
 395         exit (1);
 396     }
 397     if (len != sizeof(KRB5_SENDAUTH_VERSION)
 398         || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) {
 399         syslog (LOG_ERR, "bad sendauth version: %.8s", buf);
 400         exit (1);
 401     }
 402
 403     krb5_make_context (kc);
 404     krb5_openlog(CONTEXT(kc), "kxd", &K5DATA(kc)->log);
 405     krb5_set_warn_dest(CONTEXT(kc), K5DATA(kc)->log);
 406
 407     ret = krb5_sock_to_principal (CONTEXT(kc), sock, "host",
 408                                   KRB5_NT_SRV_HST, &server);
 409     if (ret) {
 410         ksyslog (CONTEXT(kc), ret, "krb5_sock_to_principal");
 411         exit (1);
 412     }
 413
 414     ret = krb5_recvauth (CONTEXT(kc),
 415                          &auth_context,
 416                          &sock,
 417                          KX_VERSION,
 418                          server,
 419                          KRB5_RECVAUTH_IGNORE_VERSION,
 420                          NULL,
 421                          &ticket);
 422     krb5_free_principal (CONTEXT(kc), server);
 423     if (ret) {
 424         ksyslog (CONTEXT(kc), ret, "krb5_recvauth");
 425         exit (1);
 426     }
 427
 428     ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, &K5DATA(kc)->keyblock);
 429     if (ret) {
 430         ksyslog (CONTEXT(kc), ret, "krb5_auth_con_getkey");
 431         exit (1);
 432     }
 433
 434     ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, 0, &K5DATA(kc)->crypto);
 435     if (ret) {
 436         ksyslog (CONTEXT(kc), ret, "krb5_crypto_init");
 437         exit (1);
 438     }
 439
 440     K5DATA(kc)->client = ticket->client;
 441     ticket->client = NULL;
 442     krb5_free_ticket (CONTEXT(kc), ticket);
 443
 444     krb5_auth_con_free(CONTEXT(kc), auth_context);
 445
 446     return 0;
 447 }
 448
 449 #endif /* KRB5 */